Loginsearch.ps1 - Utility for searching for logon events

Loginsearch.ps1 - What is it?

Loginsearch.ps1 is a small PowerShell script that collects information useful to Umbrella Support for troubleshooting purposes. It is most helpful when you are troubleshooting why certain users are not showing the correct activity in the reports or activity search on the OpenDNS Umbrella Dashboard, but it can also be used to troubleshoot other types of issues.

It can be run on any standard Domain Controller, as logon events should be replicated between DCs. However, if when searching you see no events but are expecting to see them from a particular host, there may be an issue replicating event logs between servers. In this case, find out the %LOGONSERVER% used by that host and run the script on that specific Domain Controller. If you still see no events, make sure that logon events are being audited.

The script is attached to the bottom of this article. The information gathered can be used for troubleshooting either by yourself or by OpenDNS Support.

How do I run the script?

Easy! Follow the steps below:

Download the attached text file and rename the extension from '.txt' to '.ps1'.

Note:

Be careful of double extensions; don't accidentally name it '.txt.ps1'.

Then, on a Windows server, open a new PowerShell window started via 'Right-Click --> Run as Administrator'. Navigate to the location where you saved the script (e.g. 'cd C:\Users\admin\Downloads') and execute it by typing .\loginsearch.ps1.

The script will first prompt for the username you want to search the Windows Security event log for, and then for a specific IP address if you prefer to search by IP. Just follow the on-screen prompts. You can search by either the username or the IP address on its own, or by both at the same time if you want to limit the results to a specific user AND IP address.

The script is quick to run. When it has finished you should see the output, including time stamps, on the screen. Additionally, a complete export of each event log entry shown on the screen is written to 'C:\%hostname%.txt'. This can be useful should you want to dig further into a specific event.
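The following is an added example of the kind of search the script performs; it is not the attached loginsearch.ps1 and was not written by OpenDNS/Umbrella. It assumes the script is run elevated on a Domain Controller, that "logon events" means Windows Security event ID 4624 (successful logon), and that the user and IP filters map to the TargetUserName and IpAddress fields of that event. The parameter names, the 7-day window and the audit-policy check on the empty-result path are all choices made here, not behaviour documented for the real script.

```powershell
# Added example (not the attached loginsearch.ps1): search the Security log for
# successful logon events (ID 4624) by user name and/or source IP, print a
# timestamped summary, and export every matching event to C:\<hostname>.txt.
# Assumptions: run from an elevated PowerShell window on a Domain Controller;
# event ID 4624 with TargetUserName / IpAddress is the "logon event" of interest.
param(
    [string]$UserName,
    [string]$IpAddress,
    [int]$Days = 7        # assumed look-back window
)

# Prompt for anything not supplied on the command line, as the article describes.
if (-not $UserName)  { $UserName  = Read-Host 'Username to search for (leave blank to skip)' }
if (-not $IpAddress) { $IpAddress = Read-Host 'Source IP to search for (leave blank to skip)' }
if (-not $UserName -and -not $IpAddress) { throw 'Supply a username, an IP address, or both.' }

# Build an XPath filter. Conditions are ANDed, so giving both narrows to user AND IP.
# timediff() is in milliseconds relative to now.
$windowMs   = $Days * 86400000
$conditions = @("System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]]")
if ($UserName)  { $conditions += "EventData[Data[@Name='TargetUserName']='$UserName']" }
if ($IpAddress) { $conditions += "EventData[Data[@Name='IpAddress']='$IpAddress']" }
$xpath = '*[' + ($conditions -join ' and ') + ']'

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

if (-not $events) {
    # Empty result: either the host used a different logon server (check %LOGONSERVER%
    # on that host) or logon auditing is off on this DC. Show the current audit setting.
    Write-Warning "No 4624 events matched in the last $Days day(s) on $env:COMPUTERNAME."
    Write-Warning 'Check %LOGONSERVER% on the client, and confirm logon auditing is enabled:'
    auditpol /get /subcategory:"Logon"
    return
}

# On-screen summary with time stamps. Each 4624 event carries its fields as
# <Data Name="..."> elements, so pull them out of the event XML by name.
$events | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $fields = @{}
    foreach ($item in $xml.Event.EventData.Data) { $fields[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $fields['TargetUserName']
        Domain      = $fields['TargetDomainName']
        LogonType   = $fields['LogonType']
        SourceIP    = $fields['IpAddress']
        Workstation = $fields['WorkstationName']
    }
} | Sort-Object Time | Format-Table -AutoSize

# Full export of every matching event, one XML document per line, for deeper inspection.
$outFile = "C:\$env:COMPUTERNAME.txt"
$events | ForEach-Object { $_.ToXml() } | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Full details of $($events.Count) event(s) written to $outFile"
```

Run it as .\example-loginsearch.ps1 with no arguments to be prompted, or pass -UserName alice -IpAddress 10.0.0.5 to search non-interactively. Filtering in XPath rather than piping everything through Where-Object matters on a busy DC, where the Security log can hold millions of events; the audit-policy check on the empty path mirrors the article's own advice about verifying that logon auditing is on before assuming replication is broken.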